#2, jggimi, 16th April 2009
If memory serves correctly, there's a fairly good tutorial/how-to using authpf and a redirect to a virtual webserver to show an unauthorized host they're blocked .... in Dru Lavigne's "BSD Hacks" book. Memory may not serve correctly; but as I'm currently using it or something similar, I'll post what I have here.

The client ssh configurations (PuTTY or OpenSSH) use dynamic tunneling with an sshd-provided SOCKS proxy, so once configured, they browse the web through the proxy for encrypted communication.

For OpenSSH, it's a "DynamicForward <port#>" -- PuTTY has a dynamic tunnel configuration in its GUI. The browsers just use a SOCKS proxy at 127.0.0.1:<port#>

Excerpt from pf.conf:
Code:
table <authpf_users> persist counters
.
.
.
nat-anchor "authpf/*"
.
.
.
#
# redirect unauthorized IP users to a local web page
#
no rdr proto tcp from {<authpf_users> <other_approved_users> } to any port www
rdr pass log proto tcp from $internal_net to any port www \
    -> 127.0.0.1 port 8080
.
.
.
rdr-anchor "authpf/*"
.
.
.
binat-anchor "authpf/*"
.
.
.
# Allow ssh on internal net just to the firewall, for authpf:
#
pass in log on $internal_nic proto tcp to $internal_nic port ssh
.
.
.
anchor "authpf/*"
I won't bother with /etc/authpf.rules or /etc/authpf.message, those are simple enough.

Here's an excerpt from /var/www/conf/httpd.conf:
Code:
Listen 127.0.0.1:8080
.
.
.
<VirtualHost 127.0.0.1:8080>
    ServerAdmin none
    DocumentRoot /var/www/auth
    ErrorDocument 404 /index.html
</VirtualHost>
/var/www/auth/index.html is my message to those who have not authenticated.

Last edited by jggimi; 16th April 2009 at 11:50 AM.
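The post leaves out the authpf rules/message files and the client-side ssh config, and gives no way to check the result. The script below is an added example, not jggimi's code and not OpenBSD's: it stages those companion files (using the /etc/authpf/authpf.rules and /etc/authpf/authpf.message paths from authpf(8), and the same pre-4.7 pf syntax as the pf.conf excerpt above) and provides two checks meant to be run on the firewall itself. Every name in it is an assumption: internal NIC em1, user alice, SOCKS port 1080, host fw.example.com, and the staging root $STAGE (set STAGE=/ on the firewall).

```shell
#!/bin/sh
# Added example (not from jggimi's post or from OpenBSD): stage the companion
# files the post skips (authpf rules/message, client ssh config) and give two
# checks to run on the firewall. Assumed names, none from the post: internal
# NIC em1, user alice, SOCKS port 1080, host fw.example.com, staging root
# $STAGE (use STAGE=/ on the firewall itself).
set -eu

STAGE="${STAGE:-./authpf-stage}"
INTERNAL_NIC="${INTERNAL_NIC:-em1}"

# authpf(8) loads /etc/authpf/authpf.rules into anchor "authpf/<user>(<pid>)"
# when the user's ssh session starts, defining the macros $user_ip and
# $user_id for it, and adds $user_ip to the <authpf_users> table, which is
# what the post's "no rdr ... from <authpf_users>" rule keys on.
write_authpf_rules() {
    mkdir -p "$STAGE/etc/authpf"
    {
        printf 'internal_nic = "%s"\n' "$INTERNAL_NIC"
        cat <<'EOF'
# Direct access for the authenticated host. Traffic sent through the ssh
# SOCKS proxy leaves from the firewall's own address and is matched by the
# firewall's pass out rules, not by these.
pass in quick on $internal_nic proto tcp from $user_ip to any \
    port { www https } flags S/SA keep state
pass in quick on $internal_nic proto { tcp udp } from $user_ip to any \
    port domain keep state
EOF
    } > "$STAGE/etc/authpf/authpf.rules"
    # authpf(8) exits if authpf.conf is missing; an empty file is enough.
    : > "$STAGE/etc/authpf/authpf.conf"
    # Printed to the user after a successful login.
    cat > "$STAGE/etc/authpf/authpf.message" <<'EOF'
Authenticated. Leave this session open: closing it removes your rules.
EOF
}

# Client side, OpenSSH: the "DynamicForward <port#>" from the post as a Host
# block. Do not add -N: authpf is the user's login shell and only loads the
# rules when a shell session is actually started. The ServerAlive lines let
# the client notice a dead link; on the firewall, sshd's ClientAliveInterval
# does the same so authpf tears the rules down when the client vanishes.
write_ssh_client_config() {
    mkdir -p "$STAGE/home/alice/.ssh"
    cat > "$STAGE/home/alice/.ssh/config" <<'EOF'
Host fw
    HostName fw.example.com
    User alice
    DynamicForward 127.0.0.1:1080
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
    chmod 600 "$STAGE/home/alice/.ssh/config"
}

# On the firewall: is $1 currently in <authpf_users>?
# 0 = present, 1 = absent, 2 = pfctl not available here.
authpf_user_present() {
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -t authpf_users -T test "$1" >/dev/null 2>&1
}

# On the firewall: does the vhost that unauthenticated web traffic is
# redirected to answer? Any path must work, and because the post's vhost
# uses "ErrorDocument 404 /index.html", a random path yields a 404 whose
# body is the message page, so both 200 and 404 count as success.
# 0 = answers, 1 = no/odd answer, 2 = curl not available here.
captive_page_reachable() {
    port="${1:-8080}"
    command -v curl >/dev/null 2>&1 || return 2
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 5 \
        "http://127.0.0.1:$port/some/random/path" 2>/dev/null || true)
    case "$code" in
        200|404) return 0 ;;
        *)       return 1 ;;
    esac
}

write_authpf_rules
write_ssh_client_config
echo "staged authpf and ssh client files under $STAGE"
if authpf_user_present 192.168.1.50; then
    echo "192.168.1.50 is in <authpf_users>"
fi
```

Run it once as a normal user to inspect the staged files, then on the firewall with STAGE=/ to install them; the two check functions only do anything useful where pfctl and curl exist, and return 2 elsewhere so the script still runs cleanly off the box.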